CVE-2020-1950
First published: Wed Mar 18 2020(Updated: )
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tika | >=1.0<=1.23 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.0.2 | |
| Oracle Communications Messaging Server | =8.1 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Debian Debian Linux | =8.0 | |
| redhat/tika | <1.24 | 1.24 |
| ubuntu/tika | <1.5-4ubuntu0.1 | 1.5-4ubuntu0.1 |
| debian/tika | 1.22-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-1950 https://nvd.nist.gov/vuln/detail/CVE-2020-1950
- https://bugzilla.redhat.com/show_bug.cgi?id=1822759
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/security/cve/cve-2020-1950
- https://lists.apache.org/thread.html/r463b1a67817ae55fe022536edd6db34e8f9636971188430cbcf8a8dd%40%3Cdev.tika.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html
- https://usn.ubuntu.com/4564-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://launchpad.net/bugs/cve/CVE-2020-1950
- https://www.openwall.com/lists/oss-security/2020/03/18/3
- https://github.com/apache/tika/commit/ab8a9ed830ec710a32e4ffdf4989aea3aaea92ef
- https://security-tracker.debian.org/tracker/CVE-2020-1950
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1822760
- https://ubuntu.com/security/notices/USN-4564-1
- https://www.cve.org/CVERecord?id=CVE-2020-1950
- https://nvd.nist.gov/vuln/detail/CVE-2020-1950
- https://ubuntu.com/security/CVE-2020-1950
Frequently Asked Questions
What is CVE-2020-1950?
CVE-2020-1950 is a vulnerability in Apache Tika's PSDParser that can cause excessive memory usage when processing a carefully crafted or corrupt PSD file.
What is the severity of CVE-2020-1950?
The severity of CVE-2020-1950 is rated as medium with a severity value of 5.5.
Which software versions are affected by CVE-2020-1950?
Apache Tika versions up to and exclusive of 1.24, and certain versions of Oracle Business Process Management Suite, Oracle Communications Messaging Server, Oracle FLEXCUBE Private Banking, Canonical Ubuntu Linux, and Debian Debian Linux are affected by CVE-2020-1950.
How can I mitigate CVE-2020-1950?
To mitigate CVE-2020-1950, upgrade Apache Tika to version 1.24 or later, or follow the recommended updates provided by the respective software vendors.
Where can I find more information about CVE-2020-1950?
You can find more information about CVE-2020-1950 in the references provided on the Apache Tika mailing list, Red Hat Bugzilla, and Red Hat Security Advisory.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1950
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/apache
- canonical/apache tika
- version/apache tika/1.0
- version/apache tika/1.23
- vendor/oracle
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.0.2
- version/oracle communications messaging server/8.1
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian